VPN Connectivity OK, but Clients Have No Internet Access

Solved
overblower

Hi All,

There are two separate MX75 appliances in two different locations.


Location D1

  • MX IP: 143.161.65.1

  • Clients: 143.161.65.0/24

Location D2

  • MX IP: 143.161.64.1

  • Clients: 143.161.64.0/24

The D1 appliance can ping the D2 appliance.
The D1 appliance can also ping google.com.
The D2 appliance can ping google.com as well.
Clients from D1 and D2 can ping each other.

However, clients connected to the MX ports cannot ping google.com. They cannot reach the internet.

Could you please support us in this case?
Thank you in advance

1 Accepted Solution
RWelch

If you previously assigned a manual custom GP and applied it to select clients, these clients might still be looking for the deleted manual custom GP.

Have you tried to whitelist (allow list) these clients?  

 

Or you can select them and re-assign the normal profile so they aren't looking for a previously assigned manual custom GP.

15 Replies
RWelch

Hello @overblower - on Friday you had a post asking how to Block Internet Access but Allow Auto VPN Communication on MX75. If you happened to implement the changes suggested, that might be the reason you aren't able to access the internet.

overblower

I know, but things have changed. I deleted the group policy.

RWelch

Do the clients connected to the MX ports have a "normal" group policy or are they using a group policy that you have created?

overblower

The group policy is online for all of them

alemabrahao

How are your firewall rules and content filtering configuration?

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

overblower

We also noticed that if another client connects to the MX port and sets its IPv4 settings to "automatic," it gets an IP from the MX and is able to reach the internet.

 

However, other computers that we configured with a manual IP are able to ping the other location via VPN, but they are not able to reach the internet.

alemabrahao

Interesting, in this case validate if gateway, subnet mask and DNS are configured correctly.

alemabrahao

Wasn't that exactly what you asked for in that other thread?

I'm confused now. 🤔

 

https://community.meraki.com/t5/Security-SD-WAN/Block-Internet-Access-but-Allow-Auto-VPN-Communicati...

overblower

Yes, but we decided to allow internet access as well. We didn’t apply the policy. So let’s focus on this thread and ignore the other one.

overblower

After I added these clients to the whitelist (allow list), it worked.

Only one thing is strange:

143.161.64.217 from D2 can ping 143.161.65.50 from D1.

But 143.161.65.50 cannot ping 143.161.64.217.

RWelch

I would check each device's group policy and how DNS is configured for each.  @ww provided a good way to see what GP is applied to each device (just below).

ww

Also check the "show details" on the client page. It should give you info on what rules are currently used.

RWelch

And, as already mentioned by @alemabrahao, check that your gateway, subnet mask and DNS are configured correctly.

I would also encourage you to "double check" how clients are being assigned static / dynamic IPs - meaning have you properly allocated the reserve IP reservations and fixed IP reservations?  

These can also come into the equation if not applied correctly. 

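The checks suggested in this thread (gateway, subnet mask and DNS on manually addressed clients, and which group policy each client is assigned), as an added example that is not part of the original posts. The client records and their field names (`static`, `devicePolicy`, `groupPolicyId`) are a hypothetical export format with constructed values; only the two site subnets and MX addresses come from the question.

```python
import ipaddress

# Site subnets and MX addresses as given in the original question.
SITES = {
    "D1": {"subnet": "143.161.65.0/24", "gateway": "143.161.65.1"},
    "D2": {"subnet": "143.161.64.0/24", "gateway": "143.161.64.1"},
}
# Constructed sample data in a hypothetical export format.
LIVE_POLICY_IDS = {"101"}  # group policies that still exist
CLIENTS = [
    {"ip": "143.161.64.10", "devicePolicy": "Group policy", "groupPolicyId": "100",
     "static": {"netmask": "255.255.255.0", "gateway": "143.161.64.1", "dns": []}},
    {"ip": "143.161.65.20", "devicePolicy": "Whitelisted",
     "static": {"netmask": "255.255.0.0", "gateway": "143.161.65.1",
                "dns": ["143.161.65.1"]}},
    {"ip": "143.161.65.30", "devicePolicy": "Normal"},  # DHCP client
]

def audit_client(client, live_policy_ids=LIVE_POLICY_IDS, sites=SITES):
    """Return findings for one client: static IP settings, then policy state."""
    ip = ipaddress.ip_address(client["ip"])
    site = next((s for s in sites.values()
                 if ip in ipaddress.ip_network(s["subnet"])), None)
    if site is None:
        return ["ip outside every site subnet"]
    net = ipaddress.ip_network(site["subnet"])
    findings = []
    static = client.get("static")
    if static:  # only manually addressed hosts; DHCP clients get these from the MX
        # A mask wider than /24 makes the other site look on-link (gateway bypassed).
        if static.get("netmask") != str(net.netmask):
            findings.append(f"netmask should be {net.netmask}")
        if static.get("gateway") != site["gateway"]:
            findings.append(f"gateway should be {site['gateway']}")
        if not static.get("dns"):
            findings.append("no DNS server configured")
    policy = client.get("devicePolicy", "Normal")
    if policy == "Group policy" and client.get("groupPolicyId") not in live_policy_ids:
        findings.append("assigned group policy no longer exists")
    elif policy == "Whitelisted":
        findings.append("allow-listed: confirm this is still intended")
    return findings

def audit_all(clients=CLIENTS):
    return {c["ip"]: audit_client(c) for c in clients}

if __name__ == "__main__":
    for ip, findings in audit_all().items():
        print(ip, "->", findings or "ok")
```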
PhilipDAth

If you click on a client, on the right-hand side, it shows all the firewall rules and policies that are being applied to the user.

 
